b'        U.S. Department of Energy\n        Office of Inspector General\n        Office of Audit Services\n\n\n\n\nAudit Report\n\nThe Department\'s Cyber Security\nIncident Management Program\n\n\n\n\nDOE/IG-0787                           January 2008\n\x0c                             Department sf Energy\n                                 Washington, DC 20585\n\n                                January 1 6 , 2008\n\n\n\n\nFROM:\n                         /%*\nMEMORANDUM FOR THE, SECRETARY\n\n                         Greg y H. riedman\n                         Inspector General\n\nSUBJECT:                 INFORMATION: Audit Report on "The Department\'s Cyber\n                         Security Incident Management Program\'\'\n\nBACKGROUND\n\nThe Department of Energy operates numerous interconnected computer networks and\nsystems to help accon~plishits strategic missions in the areas of energy, defense, science,\nand the environment. These systems are frequently subjected to sophisticated cyber\nattacks that could potentially affect the Department\'s ability to carry out its mission.\nDuring Fiscal Year 2006, the Department experienced 132 incidents of sufficient severity\nto require reporting to law enforcement, an increase of 22 percent over the prior year.\nThese statistics, troubling as they may be, are not unique to the Department; they are, in\nfact, reflective of a trend in cyber attacks throughout the government.\n\nThe Federal Information Security Management Act of 2002 requires each agency to\nimplement procedures for detecting, reporting and responding to cyber security incidents,\nincluding notifying and consulting with the Department of Homeland Security\'s Federal\nComputer Incident Response Center, law enforcement agencies, and Inspectors General.\nTo meet this requirement and counter the threat posed by cyber attacks, the Department\nhas established incident reporting mechanisms and various cyber security incident\nresponse and analysis capabilities to 
prevent, detect, respond, and recover from cyber\nsecurity incidents. Given the prevalence of cyber security attacks on Federal information\nsystems, we initiated an audit to determine if the Department had developed an integrated\nand effective cyber security incident management program.\n\nRESULTS OF AUDIT\n\nOur review identified issues that could limit the efficiency and effectiveness of the\nDepartment\'s program and could adversely impact investigations by law enforcement or\ncounterintelligence officials. In particular, we observed that:\n\n        Program elements and facility contractors had established and operated as many\n        as eight independent cyber security intrusion and analysis organizations whose\n        missions and functions we found to be, at least partially, duplicative and not well\n        coordinated. These organizations did not use a common incident reporting format\n        and did not always ensure that essential attack-related information needed\n\n\n\n                                @    Printed with soy inl: on recycled paper\n\x0c       for investigative or trending purposes was reported or retained. Sites could also\n       choose whether to participate in network monitoring activities perfonned by these\n       organizations. Further, some sites selectively disabled network sensors or "opted-\n       out" of network illonitoring activities. Even when facilities participated in\n       monitoring activities, they did not always report network monitoring data -\n       infornlatioil needed to develop a complex-wide pattern of network traffic and\n       attack patterns; and,\n\n       The Department had not adequately addressed these and related issues through\n       policy changes, even though it had identified and acknowledged weaknesses in its\n       cyber security incident management and response program. 
For example, its\n       recently issued cyber security incident reporting guidance does not fully address\n       reporting issues and fails to respond to coordination issues facing the various\n       cyber intrusion and analysis organizations. Also, the guidance does not\n       specifically require that incidents be reported to law enforcement or\n       couilteriiltelligence officials.\n\nIn part, many of the issues we observed were attributable to the lack of a unified,\nDepartment-wide cyber incident response strategy. As such, the Department may be\nunable to promptly and completely respond to successful attacks; recognize and develop\nresponse strategies for systematic attacks; and, in general, ensure that systems and the\ncritical, operational, and personally identifiable information they contain are adequately\nprotected. The failure to promptly and completely report serious incidents to law\nenforcement and counterintelligence officials could also cornpromise the ability of those\norganizations to preserve evidence and/or mount a successful investigation or response.\n\nTo address the risks associated with the increasing number and sophistication of cyber\nattacks, the Department, to its credit, has taken a number of actions to enhance its cyber\nsecurity program. These have included strengthening intrusion detection across the\ncomplex, improving its defense-in-depth approach to network and system protection, and\nimplementing other protective measures. To further enhance the effectiveness of its\nexisting protective measures and help improve cyber-related communication and\ncoordination, we made a number of recommendations that, if implemented, should help\nthe Department improve its ability to prepare for and respond to emerging threats.\n\nMANAGEMENT REACTION\n\nManagement concurred with our findings and recommendations. Management stated that\nimprovements need to be made to develop a more coordinated incident management\ncapability. 
Where appropriate, we incorporated Management\'s suggestioils into the body\nof the report and included a copy of the comments in Appendix 3.\n\nAttachment\n\ncc:   Deputy Secretary\n      Under Secretary of Energy\n      Under Secretary for Science\n      Administrator, National Nuclear Security Administration\n      Chief Information Officer\n      Chief of Staff\n      Chief Health, Safety and Sec~~rity\n                                       Officer\n\x0cREPORT ON THE DEPARTMENT\'S CYBER SECURITY INCIDENT\nMANAGEMENT PROGRAM\n\n\nTABLE OF\nCONTENTS\n\n\n    Incident Manaqement Efforts\n\n    Details of Finding ..........................................................................................................1\n\n    Recommendatioils .........................................................................................................8\n\n    Comments .....................................................................................................................9\n\n\n    Appendices\n\n    1. Objective, Scope, and Methodology ..................................................................... 1 1\n\n    2. Prior Reports ........................................................................................................ 13\n\n    3. Management Comments ........................................................................................ 
16\n\x0cCYBER SECURITY INCIDENT MANAGEMENT PROGRAM\n\nManaging Cyber      The Department of Energy (Department) and the\nSecurity Response   National Nuclear Security Administration (NNSA)\nCapabilities        established and maintained a number of independent, at\n                    !east partially duplicative, cyber security incident\n                    management capabilities and have not con~pletedaction to\n                    resolve previously identified coordination problems among\n                    and between those organizations and progam elements.\n\n                          Cyber Security Incident Handling Capabilities\n\n                    In 1989, the Department established the Computer hcident\n                    Advisory Capability (CIAC) at Lawrence Livermore\n                    National Laboratory (Livennore) to address cyber security\n                    incidents and provide threat analysis for the entire\n                    Department. Yet, NNSA and various program elements\n                    elected to establish their own separate, independent\n                    computer incident analysis and response organizations with\n                    similar capabilities. As currently chartered, CIAC -\n                    managed by the Office of the Chief Information Officer\n                    (OCIO) and funded at approximately $6.8 million in Fiscal\n                    Year (FY) 2006 - provides response and advisory services\n                    to the entire Department, colnprised of 69 organizations.\n\n                    CIAC includes computer forensics and assistance in\n                    investigating and preserving cyber evidence. CIAC also\n                    maintains and analyzes an archive of cyber-related events,\n                    warns Departmental elements of security flaws in software,\n                    and disseminates patches and updates for vulnerable\n                    systems. 
All Departmental elements, including NNSA, are\n                    required to report persistent attempts or successful cyber\n                    intrusions to CIAC, including monthly negative reporting\n                    when no compromises or intrusions occur.\n\n                    Despite CIAC\'s capabilities - and previous designations by\n                    the Department as the organization responsible for\n                    capturing and analyzing unauthorized system activity -\n                    NNSA and other programs formed other independent, at\n                    least partially duplicative, capabilities that continue to\n                    operate. For example,\n\n                           NNSA\'s Information Assurance Response Center\n                           (IARC) provides cyber security incident prevention,\n                           detection, analysis, and mitigation to various NNSA\n                           sites - duplicating functions perfomled by CIAC.\n                           IARC was originally established in June 2000 to\n                           develop a security and network operations center\n\n\n\nPage 1                                                    Details of Finding\n\x0c                for NNSA\'s Enterprise Secure Network, a classified\n                network currently under development. However,\n                due to delays in implementing this classified\n                network, IARC\'s role evolved into its current\n                responsibilities. At the time of our review, IARC\n                performed these services for nine hNSA sites and\n                received $5 million in funding in FY 2006.\n\n                The OCIO operates the Cyber-Forensics Laboratory\n                (CFL) to provide classified computer forensic\n                assistance to all Departinental offices. 
CFL also\n                performs valuable secondary functions such as\n                product testing and evaluation, security training,\n                and data recovery. Sponsorship of this organization\n                was transferred from the former Office of Security\n                to the OCIO during 2004. The CIO maintained the\n                contract for CFL services even though CIAC had\n                been previously tasked with performing the same\n                type of forensic services. CFL received $1.5\n                million in FY 2006.\n\n                The Cooperative Protection Program (CPP), a joint\n                effort by the OCIO and the Ofice of Intelligence\n                and Counterintelligence (INCN), funded at about\n                $2.1 million in FY 2006, maintains external\n                network sensors that detect and help deter hostile\n                activity directed against the Department\'s\n                information technology assets. IARC, however,\n                duplicates certain CPP functions by deploying\n                network sensors at some NNSA sites. IARC\n                officials stated they deployed their own sensors\n                because the CPP sensors did not provide all the\n                information they needed. We noted however that\n                IARC could have but did not take advantage of\n                CPP\'s external network sensors. NNSA\'s three\n                largest weapon laboratories also used CPP sensors\n                instead of those deployed by IARC.\n\n         In addition to these multi-site capabilities, a number of\n         Department field organizations have developed their own\n         site-specific cyber analysis capabilities, some of which not\n         only target their activity to detect and respond to site-specific\n         threats, but also provide services to other Department\n         entities. 
For example, the Office of Science\'s Pacific\n         Northwest National Laboratory has provided intrusion\n         analysis support to various parts of the Department. Nuclear\n         Energy\'s Idaho National Laboratory, Los Alan~osand Sandia\n\n\nPage 2                                            Details of Finding\n\x0c         also maintain their own extensive cyber analysis capabilities.\n         While funding for these site-level capabilities is likely\n         significant, site officials told us they were unable to provide\n         individual costs because the operations are part of the site\'s\n         overall cyber security budget and were not funded separately.\n\n                          Coordination of Activities\n\n         The Department has recog~izedcertain cyber security\n         program weaknesses, specifically including probleins with\n         coordination between the various independent incident\n         response organizations. Project teams were established to\n         study this issue and to propose potential solutions. In\n         January 2005, for example, an internal study by the OCIO\n         noted that ". . .growing interconnectivity among the DOE,\n         including NIVSA sites, and recent cyber incident events\n         have demonstrated the need for an integrated approach to\n         management of cyber incidents across the entire\n         Department."\n\n         In November 2005, the Department\'s Cyber Security\n         Project Team submitted proposals for ensuring successful\n         identification and analysis of threat information and\n         reengineering the Department\'s cyber security incident\n         warning, prevention, detection, and response processes.\n         This team, led by the Office of Cyber Security Evaluation,\n         within the Office of Health, Safety and Security (HSS),\n         concluded that ". . 
.cyber security incident management\n         responsibilities and authorities must be clarified across the\n         Department, and coordinated approaches must be\n         established for responding to varying incident conditions."\n         Consistent with these findings, the OCIO\'s February 2006\n         plan for Revitalization of the Department of Energy Cyber\n         Security Program, similarly noted that " . . .the Department\'s\n         incident detection and response capabilities consist of\n         separate, inadequately coordinated capabilities."\n\n         Despite this recognition, the Department had yet to initiate\n         action to resolve differences in approach or eliminate\n         duplicative functions. Our review of initial action plans\n         disclosed that officials had planned to address coordination\n         issues in new, updated guidance on cyber incident response\n         and reporting. However, recently issued guidance (known\n         as CS-9, Incident Management Guidance) does not address\n         coordination and communication issues. The guidance and\n         its replacement draft policy, Cyber Security Technical and\n\n\n\nPage 3                                           Details of Finding\n\x0c         Managenlent Requirement docunleilt (known as TMR-9,\n         It~cidentMalzagenzent), also does not address the issue of\n         duplicative functionality across response organizations.\n\n         In response to the task force report, management officials\n         indicated that they planned to review the Department\'s\n         cyber security incident handling processes to clarify\n         responsibilities and authorities across the Department and\n         to coordinate approaches for responding to varying incident\n         conditions. 
As such, a plan to fund, develop, deploy, and\n         transition to a structured, cohesive, and consistent process\n         for performing incident warning, prevention, detection,\n         response, and management was scheduled within 60 days\n         after acceptance of the February 2006 Revitalization of the\n         Departmelzt of Energy Cyber Security Progranz. However,\n         a comprehensive plan has yet to be approved.\n\n                      Need for Improved Coordination\n\n         Our review disclosed coordination and communication\n         problems among Departmental elements regarding incident\n         response and analysis. For example,\n\n                Program and response organizations were not\n                required to adhere to a coordinated/con~mon\n                approach for incident reporting. As a consequence,\n                many incident reports reaching CIAC lacked\n                essential elements for reporting to law enforcement\n                and subsequent analysis for trending. A recent\n                examination of the CL4C incident database revealed\n                that certain information necessary for analyzing the\n                nature or origin of various penetrations had not been\n                provided by sites and other cyber incident response\n                organizations. 
Even though many NNSA\n                organizations used common, shared Departmental\n                networks, CIAC officials told us they were often\n                prohibited from contacting NNSA sites directly to\n                obtain missing information and were required to\n                refer all inquires to IARC.\n\n                Sites were permitted to "opt-out" of the CPP\n                network sensor initiative, thus preventing the\n                Department from acquiring a complex-wide\n                perspective of network traffic and attack patterns;\n\n                Organizations were allowed to disable network\n                sensors at any time, an action that could provide a\n                                                                -     -\n\n\nPage 4                                          Details of finding\n\x0c                             window of opportunity for individuals attempting to\n                             penetrate networks and systeills to avoid detection;\n                             and,\n\n                         a   Entities were not required to provide CPP network\n                             monitoring data to CIAC, thus preventing it from\n                             gathering a Department-wide perspective of\n                             network defenses and potentiallactual\n                             vulnerabilities.\n\n                      As a result of a sophisticated attack on the Department\'s\n                      systems, an informal network of cyber analysts across the\n                      Department formed to develop response strategies. In\n                      addition, the OCIO created a weekly threat sharing meeting\n                      attended by cyber security representatives from senior\n                      managenlent and counterintelligence. 
While these\n                      developments are noteworthy and promising, formal\n                      structured coordination processes and procedures, that\n                      include both Headquarters and field sites, should be\n                      established to enable the Department to respond quickly\n                      and effectively to future sophisticated attacks.\n\nIncident Management   Recent cancellation of the Department\'s detailed incident\nPolicy and Guidance   response directive and its replacement with a more general,\n                      generic guidance could also adversely impact overall\n                      incident management and response by law enforcement and\n                      counterintelligence officials. On April 1 1, 2007, the\n                      Department rescinded DOE M 205.1 - 1, its Incident\n                      Prevention, Warning, and Response (IP WAR) Ma~zualand\n                      replaced it with the less rigorous CS-9.\n\n                      Based on our review of the CS-9 and its corresponding\n                      draft policy document, TMR-9, we noted that the recently\n                      issued guidance:\n\n                         a   Does not establish a formal mechanism for\n                             implementing a requirement established by the\n                             Deputy Secretary to notify senior officials when an\n                             event is significant enough to warrant action;\n\n                         a   Lacks a structured process for disseminating\n                             information regarding sophisticated and coordinated\n                             cyber attacks;\n\n                             Fails to establish a structured process for a\n                             coordinated response to cyber attacks that impact\n                             multiple program offices and sites;\n\n\nPage 5                                                
      Details of Finding\n\x0c                Does not establish clearly defined purposes, roles,\n                or responsibilities for CIAC - the organization\n                previously designated in the IPWAR Manual as the\n                Department\'s central point of contact for cyber\n                incident management;\n\n                Oinits the roles or coordination requirements for\n                other existing capabilities such as the Cyber-\n                Forensics Laboratory, the NNSA Infoinlation\n                Assurance Response Center, the Computer\n                Protection Program, and the various site-specific\n                capabilities; and,\n\n                No longer specifically requires organizations to\n                report certain cyber security incidents to the Office\n                of Inspector General (OIG), Technology Crimes\n                Section; HSS; and/or INCN within established\n                timefiames. The now cancelled IPWAR Manual\n                more clearly defined the OCIO and CIAC\'s roles\n                and responsibilities for the Department and\n                established formal procedures for when and how to\n                report specific events.\n\n         In conducting our review, we noted that the change in\n         policy guidance was not coordinated prior to its\n         implementation through the Department\'s formal web-\n         based Review and Comment System (RevCom). RevCom\n         allows the entire DepartmentNNSA complex the\n         opportunity to provide comments on proposed policy and\n         guidance documents prior to the issuance of an official,\n         final directive. As a consequence, organizations with a\n         vested interest in TMR-9, such as TNCN, HSS, or OIG\n         were not offered the opportunity to review and comment on\n         the omissions or relaxation of previously established\n         IPWAR Manual requirements. 
Given that the duplicative\n         and uncoordinated incident reporting structure previously\n         described evolved while the more restrictive and detailed\n         policy was in force, adopting an approach with fewer rigors\n         could result in additional cyber incident management\n         problems.\n\n\n\n\nPage 6                                          Details of Finding\n\x0cStrategy for          Many of the issues ~e observed are attributable, at least in\nManagement of Cyber   part, to the lack of a unified, Department-wide cyber\nSecurity Incidences   incident response strategy. While a number of the actions\n                      were well-intentioned and taken with a view toward placing\n                      primary responsibility for reporting and incident response\n                      at the NNSA and program-level, they have had the\n                      unintended effect of further diminishing the overall\n                      effectiveness and efficiency of the Department\'s cyber\n                      incident management capability. Lacking a unified\n                      approach, and in respoilse to the increasing number of\n                      cyber-related events affecting govenment computers and\n                      systems, various entities independently developed their\n                      own incident handling capabilities. 
The Department\'s\n                      current approach is also not consistent with either the\n                      Federal In formatioil Security Management Act (FI SMA) or\n                      National Institute of Standards and Technology guidance\n                      that require Agencies to develop a comprehensive plan for\n                      a well-coordinated and integrated solution for capturing,\n                      analyzing and disseminating aggregate cyber incident\n                      information across the complex.\nInformation Systems   The Department\'s current reporting and cyber incident\nAnd Networks Placed   management structure increases the risk that it will be\nAt Risk               unable to satisfy both internal and external response and\n                      reporting requirements. In certain attack or breach\n                      situations, response times are as little as 45 minutes, a\n                      deadline that is unlikely to be achieved unless a\n                      coordinated approach is adopted. In addition to ensuring\n                      that the Department\'s senior management is promptly\n                      notified and fully informed, the elimination of coordination\n                      barriers could also help ensure that the Department is able\n                      to satisfy Federal requirements to ". . 
.report all\n                      unauthorized system activity (cyber security incidents)\n                      quickly and accurately" and to certify annually that "both\n                      the agency and each of its components have established\n                      processes that ensure timely, accurate reporting" to the\n                      Department of Homeland Security\'s United States\n                      Computer Emergency Readiness Team (US-CERT) and,\n                      where appropriate, to law enforcement or\n                      counterintelligence authorities.\n\n                      OIG Special Inquiv Report Relating to the Department of\n                      Energy\'s Response to a Con~promiseofPersonrze1 Data\n                      (OIG Case No. 1061G001, July 2006) highlights the\n\n\n\n\nPage 7                                                       Details of Finding\n\x0c                  Department\'s continuing challenge regarding\n                  communicating, coordinating, and responding to cyber\n                  incidents. LII that case, a hacker extracted the names and\n                  social security nuinbers nf over 1,500 Federal and\n                  contractor employees from a coinputer system at the NNSA\n                  Service Center in Albuquerque, New Mexico. The\n                  intrusion was finally discovered in September 2005, and\n                  the Secretary and affected employees were not informed of\n                  the compromise of privacy data until June 2006,\n                  approximately 10 months later. The report noted that there\n                  was an unacceptable failure of communicatioil throughout\n                  all levels of the Department and stated that the\n                  Department\'s handling of this matter was largely\n                  dysfunctional. 
It identified the cause as (1) significant\n                  confusion of key decision makers regarding lines of\n                  authority, responsibility, and accountability; (2) poor\n                  internal communications, including a lack of coordination\n                  and a failure to share essential information among key\n                  officials; and, (3) insufficient follow-up on critical issues\n                  and decisions.\n\n                  The need to ensure that cyber incidents are handled\n                  promptly and properly is made more urgent by the Office\n                  of Management and Budget\'s (OMB) May 22,2007,\n                  memorandum M-07- 16, Safegziardirzg Against and\n                  Responding to the Breach of person all^^ Identzfiable\n                  Information. In response to a number of recent\n                  unauthorized disclosures of personally identifiable\n                  information throughout the Federal government, OMB\n                  implemented a new incident handling and reporting\n                  requirement that each agency develop and implement a\n                  policy for notifying US-CERT within one hour of the\n                  breach and also provide timely notification to affected\n                  individuals. 
It may be difficult for the Department to respond to this new requirement effectively unless it ensures that all incidents are properly captured, the response is properly coordinated, and that one organization within the agency has ultimate responsibility for receiving reports and handling required notifications.

RECOMMENDATIONS

To more effectively prepare for and address emerging cyber security threats and enhance the security of the Department's information systems, we recommend the Department and the NNSA Chief Information Officers, in coordination with the Administrator, National Nuclear Security Administration; Under Secretary of Energy; the Under Secretary for Science; Chief, HSS; and the Director, INCN should:

1. Develop and implement, through policy and guidance, an enterprise-wide cyber security incident management strategy that:

   a) Establishes clearly defined lines of authority, responsibility, and accountability among the various capabilities; promotes a coordinated approach for preventing, detecting, responding to, and recovering from cyber security events; and enforces prompt and complete notification of reportable incidents to include relevant law enforcement and counterintelligence officials;

   b) Requires all Departmental elements, including NNSA, to contribute to a unified and consistent cyber security incident management program that ensures timely and appropriate response activities, and continuity of operations; and,

   c) Leverages the use of existing capabilities and resources and eliminates unnecessary duplication, where appropriate.

2. Apply a consistent and coordinated approach for the development of revisions to existing policies that affords all interested Departmental elements (including program, staff and support offices, and field elements) the opportunity to comment prior to issuance of official policy or requirements.

3. Develop a mechanism to periodically test and evaluate the Department's overall performance in detecting, analyzing, responding, and recovering from multi-site cyber security events.

MANAGEMENT REACTION

Management agreed with the information contained in the report and concurred with each of the specific recommendations. The Department's OCIO provided comments that corrective actions would be taken on specific findings and that it would continue to work to improve its cyber security incident management capabilities. Specifically, the OCIO is currently drafting a new incident management approach called the integrated Enterprise Incident Capability (EIC). The intent is to restructure the Department and NNSA's cyber incident detection, response, reporting, and management capabilities to enhance the ability to detect, prevent, respond, and recover from computer security events. The OCIO plans to complete the written strategy for the EIC, including DOE-wide review, no later than March 31, 2008. Appropriate policies and implementation plans, which will leverage existing DOE and NNSA processes to the maximum extent practical, are scheduled for release shortly thereafter.

The Under Secretary for Science provided comments on the report that were incorporated into the response provided by the CIO.
Electronic comments provided by NNSA indicated that it concurred with the recommendations.

AUDITOR COMMENTS

Management's comments are generally responsive to our recommendations.

Appendix 1

OBJECTIVE

The objective of this audit was to determine whether the Department of Energy (Department) developed and implemented an integrated and effective Cyber Security Incident Management Capability.

SCOPE

We conducted the audit from November 2005 to August 2007 at Headquarters offices in Washington, D.C., and Germantown, MD; Lawrence Livermore National Laboratory, in Livermore, CA; Lawrence Berkeley National Laboratory in Berkeley, CA; Pacific Northwest National Laboratory in Richland, WA; and the National Nuclear Security Administration's Information Assurance Response Center facility in Las Vegas, NV. The scope of the audit covered the Department's cyber incident analysis capabilities.

METHODOLOGY

To accomplish our objective, we:

- Reviewed applicable Federal laws and Departmental directives;
- Reviewed standards and guidance issued by the National Institute of Standards and Technology;
- Performed site visits and interviewed pertinent personnel involved in cyber analysis activities;
- Evaluated activities and capabilities performed at the program and site levels; and,
- Determined funding information related to cyber analysis capabilities.

The audit was conducted in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy the audit objective. We assessed compliance with the Government Performance and Results Act of 1993 related to the Department's cyber analysis capabilities and found that the Department had established performance measures associated with strengthening its comprehensive cyber security program. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our audit.
We did not conduct a reliability assessment of computer-processed data because we did not rely on computer-processed information to achieve our audit objective.

Appendix 2

PRIOR REPORTS

Office of Inspector General Reports

Evaluation Report on the Department's Unclassified Cyber Security Program - 2007 (DOE/IG-0776, September 2007). As reported in previous years, risks to the Department of Energy's (Department) information and systems remain higher than necessary. The threat of compromise continues to grow as the Department introduces additional systems and network interconnections, and permits emerging technologies. In addition, external network scanning and probing activities being conducted by nefarious individuals are escalating. As a result, the number of cyber security incidents reported to the Computer Incident Advisory Capability (CIAC), including information system and data compromises and introduction of malicious code, is at its highest level in three years. Emphasis on protecting personal information requires effective security controls over sensitive information maintained on agency systems.

Security over Personally Identifiable Information (DOE/IG-0771, July 2007). The Department had not fully implemented all protective measures for information systems that contain personally identifiable information (PII) recommended by the Office of Management and Budget and required by the National Institute of Standards and Technology. In particular, seven of eleven field sites reviewed (3 Federal, 8 contractor) had not identified information systems containing PII, or fully evaluated the risks of exposing PII stored in such systems. Controls for securing remote access to site-level systems containing personal information had not been fully implemented; and five sites had not identified mobile computing devices containing PII or ensured that this information was encrypted as required.

Evaluation Report on the Department's Unclassified Cyber Security Program - 2006 (DOE/IG-0738, September 2006). While positive actions have been taken, deficiencies continued to leave critical systems exposed to an increased risk of compromise. Specifically, the Department had not completed a complex-wide inventory of major information systems, certification and accreditation packages lacked essential elements, contingency planning was incomplete, and access controls and configuration management were inadequate. Continuing cyber security weaknesses occurred, at least in part, because program and field elements did not always implement or properly execute existing Departmental and Federal cyber security requirements. In a number of instances, cyber security weaknesses that were identified were not addressed in a timely manner or tracked to resolution. As a consequence, the Department's information systems and networks and the data they contain remain at risk of compromise.

Special Inquiry Report Relating to the Department of Energy's Response to a Compromise of Personnel Data (OIG Case No. 106IG001, July 2006). A hacker extracted a file containing the names and social security numbers of 1,502 National Nuclear Security Administration (NNSA) Federal and contractor employees from a computer system at the NNSA Service Center in Albuquerque, New Mexico. Neither the employees affected nor appropriate officials were properly notified until about ten months after the successful intrusion had been detected. In addition, there was a lengthy delay in the Department's completion of an impact assessment on the intrusion. The Department's handling of this matter was largely dysfunctional and the operational and procedural breakdowns were caused by questionable managerial judgments; significant confusion by key decision makers as to lines of authority, responsibility, and accountability; poor internal communications, including a lack of coordination and a failure to share essential information among key officials; and, insufficient follow-up on critically important issues and decisions. The bifurcated organizational structure of NNSA within the Department complicated the situation.

The Department's Unclassified Cyber Security Program - 2005 (DOE/IG-0700, September 2005). Significant improvements were still needed in the areas of password management, configuration management, and restriction of network services. In addition, sites failed to report computer intrusions or other cyber security events to law enforcement officials, as required. Departmental elements notified the Office of Investigations of only 60 of the 108 qualifying cyber security events that occurred in Fiscal Year (FY) 2005, jeopardizing the ability to promptly investigate potential criminal cyber security activity. This problem exposed the Department's critical systems to an increased risk of compromise and occurred, at least in part, because program and field elements did not always implement or properly execute standing Departmental and Federal cyber security requirements.

Audit Report on Implementation of Indications, Warning, Analysis and Reporting Capability (DOE/IG-0631, December 2003). Fifty-four percent of the Department's organizations were not reporting cyber security attacks, probes, or compromises to the Computer Incident Advisory Capability (CIAC) as required by Departmental directives. Even when organizations reported successful intrusions to CIAC, they were not always reported to oversight officials or law enforcement for investigation. The Department had not developed and implemented a program to monitor security incident reporting and had not established performance goals to measure the success of policy implementation. Untimely and inaccurate incident reporting impeded the Department's ability to adequately protect information resources, increased information systems costs, and affected mission accomplishment.

Virus Protection Strategies and Cyber Security Incident Reporting (DOE/IG-0500, April 2001). The Department's virus protection strategies and cyber security incident reporting methods did not adequately protect systems from damage by viruses and did not provide sufficient information needed to manage its network intrusion threat. Further, specific performance goals related to virus protection and cyber security event response had not been developed as required by the Government Performance and Results Act of 1993. While the Department had developed and implemented an incident response capability, inconsistent reporting by over 50 percent of sites and program elements hampered critical efforts to analyze threats and formulate countermeasures. Incomplete reporting left internal oversight organizations unprepared to effectively respond and potentially jeopardized systems of agencies, since accurate threat data could not be provided to national-level organizations such as the Federal Computer Incident Response Capability and the National Infrastructure Protection Center. These problems occurred because the Department had not developed and implemented an effective enterprise-wide protection strategy.

Government Accountability Office (GAO) Reports

Information Security: Persistent Weaknesses Highlight Need for Further Improvement (GAO-07-751T, April 19, 2007). GAO noted that organizations can reduce the risks associated with intrusions and misuse if they take steps to detect and respond to these events before significant damage occurs, analyze the causes and effects of the events, and apply the lessons learned. Federal agencies are required to report incidents to the Federal information security incident center (Computer Emergency Readiness Team), and reported a record number of incidents in FY 2006. However, there is inconsistent reporting at various levels throughout the government.
If agencies do not properly capture and analyze security intrusions, they risk losing valuable information needed to prevent future exploits and understand the nature and cost of security threats.

Appendix 3

MANAGEMENT COMMENTS

Department of Energy
Washington, DC 20585

MEMORANDUM FOR RICKEY R. HASS
ASSISTANT INSPECTOR GENERAL FOR ENVIRONMENT, SCIENCE AND CORPORATE AUDITS

FROM: RICHARD [surname illegible in scan]
OFFICE OF THE UNDER SECRETARY OF ENERGY

SUBJECT: Comments on Draft Report on "The Department's Cyber Security Incident Management Capability"

The Office of the Under Secretary of Energy appreciates the opportunity to review the OIG draft report on "The Department's Cyber Security Incident Management Capability." We accept the principle that the Department should coordinate its cyber security incident management capability and we will work closely with the CIO to address the recommendations presented.

Department of Energy
Washington, DC 20585
December 19, 2007

MEMORANDUM FOR RICKEY R. HASS
ASSISTANT INSPECTOR GENERAL FOR ENVIRONMENT, SCIENCE AND CORPORATE AUDITS

FROM: THOMAS N. PYKE, JR.

SUBJECT: Draft Report on The Department's Cyber Security Incident Management Capability

Thank you for the opportunity to comment on this draft report. The information provided is consistent with our own observations about improvements that need to be made to develop a more coordinated incident management capability. The Office of the Chief Information Officer (OCIO) generally concurs with the recommendations as indicated below:

Recommendation 1: Develop and implement, through policy and guidance, an enterprise-wide cyber security incident management strategy that:

   a) Establishes clearly defined lines of authority, responsibility, and accountability among the various capabilities; promotes a coordinated approach for preventing, detecting, responding to, and recovering from cyber security events; and enforces prompt and complete notification of reportable incidents to include relevant law enforcement and counterintelligence officials;

   b) Requires all Departmental elements, including NNSA, to contribute to a unified and consistent cyber security incident management program that ensures timely and appropriate response activities, and continuity of operations; and

   c) Leverages the use of existing capabilities and resources and eliminates unnecessary duplication, where appropriate.

Concur. The OCIO is currently drafting a new incident management approach called the integrated Enterprise Incident Capability (EIC). The EIC intends to restructure the Department of Energy (DOE) and National Nuclear Security Administration (NNSA) cyber incident detection, response, reporting, and management to enhance the ability to detect, prevent, respond, and recover from computer security events. It aims to assist the Department in identifying potential risks as far in advance of a potential incident as is possible and integrating the identified risks with post-event response and recovery when necessary. Another objective is to identify the vulnerabilities within the DOE computing enterprise so that they can be mitigated or minimized before they are exploited. Implementing the EIC provides DOE with the capability to consolidate and correlate security event information from each element of the Department. This capability allows for the effective management of information during the critical moments of initiating incident response and provides a focal point for management of cyber incidents in the Department.

The OCIO intends to complete its written EIC strategy, including DOE-wide review, no later than March 31, 2008. Appropriate policies and implementation plans, which will leverage existing DOE and NNSA processes to the maximum extent practical, will follow shortly thereafter.

Recommendation 2: Apply a consistent and coordinated approach for the development of proposed or revision to existing policies that affords all interested Departmental elements (including program, staff and support offices, and field elements) the opportunity to comment prior to issuance of official policy or requirements.

Concur. The Department is committed to employing the DOE Directives process to issue formal, DOE-wide minimum standards for cyber security, including standards that govern incident handling. This process will ensure a full opportunity for comment prior to issuance of policy.

Recommendation 3: Develop a mechanism to periodically test and evaluate the Department's overall performance in detecting, analyzing, responding, or recovering from multi-site cyber security events.

Concur. The Department's cyber security incident response capabilities are periodically tested and evaluated through several planned, independent activities. The Department participates in a biennial world-wide cyber incident exercise called Cyber Storm, sponsored by the Department of Homeland Security. Cyber Storm is intended to act as a catalyst for assessing communications, coordination, and partnerships across the public and private sectors in the event of a cyber attack. Cyber Storm scenarios are simulations using fictitious technical vulnerabilities and threats. For the upcoming Cyber Storm II exercise, two large DOE laboratories have volunteered to participate and will be able to assess their sites' communications and coordination efforts within the Department. The Department also undergoes annual penetration testing (Red Team) by a highly skilled team from an external agency, which tests DOE's ability to detect and respond to the mock attacks.

For additional information, please contact Carol Williams, Deputy Associate CIO for Cyber Security at (202) 586-6378.
IG Report No. DOE/IG-0787

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or procedures of the inspection would have been helpful to the reader in understanding this report?

2. What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report which would have been helpful?

5. Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name                                          Date

Telephone                                     Organization

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

Office of Inspector General (IG-1)
Department of Energy
Washington, DC 20585

ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact Judy Garland-Smith (202) 586-7828.

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

U.S. Department of Energy Office of Inspector General Home Page
http://www.ig.energy.gov

Your comments would be appreciated and can be provided on the Customer Response Form.